Pension Benefit Guaranty Corporation
Office of Inspector General
Evaluation

Fiscal Year 2011 Vulnerability Assessment and Penetration Testing Report

RESTRICTED DISCLOSURE
This document contains privileged and confidential information, and was produced at the direction of the Pension Benefit Guaranty Corporation, Office of Inspector General. It may not be disclosed, reproduced, or disseminated without the express permission of the Inspector General.

March 19, 2012
EVAL-2012-7/FA-11-82-5

Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, N.W., Washington, D.C. 20005-4026

March 19, 2012

To:       Joshua Gotbaum
          Director
          Pension Benefit Guaranty Corporation

From:     Joseph A. Marchowsky
          Assistant Inspector General for Audit

Subject:  Fiscal Year 2011 Vulnerability Assessment and Penetration Testing
          (EVAL-2012-7/FA-11-82-5)

I am pleased to transmit the attached Restricted Disclosure report detailing results of the vulnerability assessment and penetration testing evaluation performed in conjunction with the audit of the Pension Benefit Guaranty Corporation (PBGC) fiscal year 2011 financial statements (AUD-2012-1/FA-11-82-1).

During the financial statement audit, our independent public accountant, CliftonLarsonAllen LLP (formerly Clifton Gunderson, LLP), assessed the PBGC information security infrastructure to test for technical weaknesses in PBGC's computer systems that may allow employees or outsiders to cause harm to, and/or impact, PBGC's business processes and information. In its assessment, CliftonLarsonAllen found major issues of concern in patch management, access controls, and configuration management; many of the vulnerabilities identified were repeated from prior years. Further, CliftonLarsonAllen reported that PBGC's inefficient network design exposed the Corporation to slow network performance and limited or no connection to the Internet.

Critical vulnerabilities are defined as flaws that could be easily exploited by a remote attacker with no password (i.e., unauthenticated) and lead to system compromise without requiring user interaction. High severity vulnerabilities are flaws that can easily compromise the confidentiality, integrity, or availability of resources. CliftonLarsonAllen's testing disclosed many more technical weaknesses (vulnerabilities) than in prior years. Urgent attention is required to mitigate or eliminate all critical and high severity technical weaknesses.

PBGC's efforts to address the vulnerabilities identified should include an effective continuous monitoring program to scan for vulnerabilities, the timely application of patches and updates, stronger passwords, and network design changes to mitigate the risk of interruptions.

PBGC has acknowledged that attention is needed to mitigate the vulnerabilities identified by OIG. In response to our evaluation, the Chief Information Officer has created a team to address reported weaknesses and has committed to the mitigation of critical and high vulnerabilities within 90 days. Additionally, PBGC has obtained contract support to perform monthly scans. OIG will follow up on the proactive steps taken by PBGC; we are encouraged by the immediate action to improve the Corporation's IT security.

Due to the sensitive nature of this report, its disclosure has been restricted. This transmittal memorandum will be posted to the OIG external website, but the attachment summarizing our evaluation will be redacted in its entirety because it contains privileged and confidential information that, if disclosed, would cause further vulnerability.

We appreciate the cooperation that CliftonLarsonAllen and the OIG received while performing the testing.

Attachment

Attachment

The presentation summarizing PBGC's vulnerability assessment contains confidential and proprietary information and has been redacted.

If you want to report or discuss confidentially any instance of misconduct, fraud, waste, abuse, or mismanagement, please contact the Office of Inspector General.

Telephone:
The Inspector General's HOTLINE
1-800-303-9737

The deaf or hard of hearing, dial FRS (800) 877-8339 and give the Hotline number to the relay operator.

Web:
http://oig.pbgc.gov/investigation/details.html

Or Write:
Pension Benefit Guaranty Corporation
Office of Inspector General
PO Box 34177
Washington, DC 20043-4177